[dns-operations] RFC2308, negative answer caching, and the largest gTLDs

Andrew White andrew at vivalibre.com
Thu Mar 8 23:31:36 UTC 2018


BIND, at least, appears to cache NXDOMAIN responses from the .com gTLD for
900s, the SOA TTL, rather than 86400, the SOA MIN. (Hint: dig +norec allows
cache peeking in BIND.)

Is the assertion accurate that the SOA MIN is a no-op if SOA TTL <= SOA MIN,
then? It would seem so for BIND. Do other caching resolvers handle negative
cache TTLs differently?



On Thu, Mar 8, 2018 at 5:59 AM, James Stevens <James.Stevens at jrcs.co.uk>
wrote:

> RFC2308/3 defines the negative-cache TTL as the TTL on the SOA record sent
> in a negative response - i.e. the lesser of SOA/TTL and SOA/MIN
>
> 2308/3 : "indicates how long a resolver may cache the negative answer"
>
>
>
> Whereas RFC2308/4 defines the negative-cache TTL as SOA/MIN
>
> 2308/4 : "the TTL to be used for negative responses, is the new defined
> meaning of the SOA minimum field"
>
>
>
> Where SOA/TTL is less than SOA/MIN this seems to create a conflict as to
> how long to cache negative-responses.
>
> On 07/03/18 23:26, Andrew White wrote:
>
>> Hi all,
>>
>> As we Shirley all often do, I was browsing RFC2308 (
>> https://tools.ietf.org/html/rfc2308 ) and noticed that a caching
>> resolver is supposed to cache negative answers for "x" seconds, where x is
>> the lower of these two values: SOA MIN field and SOA TTL.
>>
>> The excerpt in question (emphasis mine):
>>
>>     Name servers authoritative for a zone MUST include the SOA record of
>>     the zone in the authority section of the response when reporting an
>>     NXDOMAIN or indicating that no data of the requested type exists.
>>     This is required so that the response may be cached. *The TTL of this
>>     record is set from the minimum of the MINIMUM field of the SOA record
>>     and the TTL of the SOA itself, and indicates how long a resolver may
>>     cache the negative answer.* The TTL SIG record associated with the
>>     SOA record should also be trimmed in line with the SOA's TTL.
>>
>> I posit that this implies that a given zone's SOA TTL and SOA MIN should
>> generally be the same.
>>
>> However, com/net/org have 900 for SOA TTL and 86400 for SOA MIN. Why?
>>
>> Andrew
>>
>> _______________________________________________
>> dns-operations mailing list
>> dns-operations at lists.dns-oarc.net
>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>>
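
Added example, not part of the thread or of any resolver's code: the RFC 2308 section 3 rule quoted above, applied to dig-style SOA lines so the SOA TTL vs. SOA MIN cases can be compared side by side. The zone name, server names and serial are constructed; `resolver_cap` is an assumed local resolver policy limit, not something the thread mentions.

```python
from typing import NamedTuple, Optional


class Soa(NamedTuple):
    owner: str
    ttl: int      # TTL of the SOA record itself ("SOA TTL" in the thread)
    minimum: int  # last RDATA field ("SOA MIN" in the thread)


def parse_soa(line: str) -> Soa:
    """Parse: owner TTL IN SOA mname rname serial refresh retry expire minimum."""
    f = line.split()
    if len(f) != 11 or f[2].upper() != "IN" or f[3].upper() != "SOA":
        raise ValueError(f"not a dig-style SOA line: {line!r}")
    return Soa(f[0], int(f[1]), int(f[10]))


def authority_ttl(soa: Soa) -> int:
    """RFC 2308 section 3: TTL the authoritative server sets on the SOA
    it places in the authority section of a negative response."""
    return min(soa.ttl, soa.minimum)


def negative_cache_seconds(soa: Soa, resolver_cap: Optional[int] = None) -> int:
    """How long a resolver may keep the negative answer: the TTL it received,
    optionally lowered by a local cap (assumption: resolver-side policy)."""
    ttl = authority_ttl(soa)
    return ttl if resolver_cap is None else min(ttl, resolver_cap)


def minimum_decides(soa: Soa) -> bool:
    """True only when SOA MIN, rather than SOA TTL, sets the negative TTL."""
    return soa.minimum < soa.ttl


# Constructed sample records. The first uses the 900 / 86400 values from the thread.
SAMPLES = {
    "ttl_below_min": "example. 900 IN SOA ns.example. hostmaster.example. 2018030800 1800 900 604800 86400",
    "min_below_ttl": "example. 86400 IN SOA ns.example. hostmaster.example. 2018030800 1800 900 604800 300",
    "equal": "example. 3600 IN SOA ns.example. hostmaster.example. 2018030800 1800 900 604800 3600",
}


def report() -> dict:
    """Map each sample to (negative cache seconds, whether SOA MIN decided it)."""
    parsed = {name: parse_soa(line) for name, line in SAMPLES.items()}
    return {n: (negative_cache_seconds(s), minimum_decides(s)) for n, s in parsed.items()}


if __name__ == "__main__":
    for name, result in report().items():
        print(name, result)
```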